In a distributed environment why does the splunk cim setup screen only see the indexes defined on the local search head, not all indexes that exist across the deployment? All other functions work as expected, though i'd like to lower search I/O by using the constrain index configuration of the CIM.
I wouldn't do directly via UI. But would do it in the staging Server -> then push it to deployer -> then to search head cluster
This way all your environments can get the same package
CIM Setup and type ahead work off the local indexes.conf
Even though the SH does not index data, it is very important to have a "complete" indexes.conf on your SH for the two reasons I listed above.
I would recommend that you have an indexes.conf app to push to all search heads from your deployer and/or deployement server.
At present Splunk Distributed search cannot see what is on the "peers" for indexes ,and thus the need for a local indexes.conf that is all inclusive of what you have on the peers.
If you don't want to do this, you can modify the macros by hand for CIM rather than using the CIM Setup.
You can go to settings / Data Models / here you can click on each data model and see in the constraint which macro the DM is using, and then you can modify that under
Is there any potential that this functionality will eventually be moved into the code instead of having the one off app that needs to be managed?
You can manage the filters from within ES
Configure / CIM Setup
The CIM App can be used both with or without ES. So my guess to your question is no.